EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
Insights
Asking the better questions that unlock new answers to the working world's most complex issues.
Services
EY helps clients create long-term value for all stakeholders. Enabled by data and technology, our services and solutions provide trust through assurance and help clients transform, grow and operate.
Industries
Discover how EY insights and services are helping to reframe the future of your industry.
See more
Case studies
About us
At EY, our purpose is building a better working world. The insights and services we provide help to create long-term value for clients, people and society, and to build trust in the capital markets.
See more
Top news
Press release
EY Entrepreneur Of The Year 2025 UK finalist shortlist announced
16 Oct 2025Chris Brown
Recent Searches
Trending
-
How do CEOs reimagine enterprises for a future that keeps rewriting itself?
EY-Parthenon CEO Outlook 2026 explores how leaders use AI, transformation and portfolio strategy to navigate uncertainty and drive sustainable growth.
20 Jan 2026 CEO agenda -
How reframing trust allows firms to navigate change and unlock growth
Reframing trust helps organizations navigate change, manage risk and unlock new growth opportunities in a rapidly evolving world. Explore how.
16 Jan 2026 -
What UK financial services regulation means for firms in 2026
UK financial services regulation balances growth and stability. Firms must focus on financial crime, operational resilience, AI and volatility. Learn more.
11 Dec 2025 Financial services
Data protection privacy policies for applicants
-
Last updated: 10/12/2025
1. Introduction
We are Ernst & Young LLP (“EY”) (“we” or “us”) and are registered in England and Wales under registration number OC300001. Our registered office is at 1 More London Place, London, SE1 2AF.
This notice explains how we will handle any personal data that you provide, or we otherwise obtain in connection with your application for a job with us.
For the purposes of data protection law, we are the ‘controller’ of this personal data.
2. How and why we use your personal data
In this section we have set out:
- the general categories of personal data that we will process in connection with your application;
- the purposes for which we may process that personal data; and
- the legal basis for that processing.
We mainly rely on two legal bases for processing your personal data:
- our legitimate interests, as data controller in some circumstances (more information round those circumstances can be found below).
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Personal data collected
Reason for processing
Lawful basis for the processing
Basis for processing special categories of personal data or data relating to criminal convictions and offences
Registration data: username, email address, and password
Creating a user account for you, enabling you to access your account once created, keeping your account secure and communicating with you in connection with your application.
Performance of a contract - enabling applicants to submit, and us to receive and consider, applications for jobs with us.
EY’s legitimate interest in processing and managing applications for roles at EY, including the screening and selection of candidates
N/A
Required verification data: Passport number, passport expiry date, university early career ID number, and university or school admissions team contact names
This information is required to verify your identity at point of offer to avoid against false or suspicious applications
EY’s legitimate interest in avoiding false, suspicious, or fraudulent activity within early career applications to EY.
Username, email address, and Application data
Contacting you about subsequent job opportunities with us in the event that your application for this recruitment round is unsuccessful
EY’s legitimate interest in processing and managing applications for roles at EY, including the screening and selection of candidates
If you do not want us to use your username, email address, and Application Data in this way, you can request we stop at any time by sending us an email
N/A
Application data: contact details, educational and employment history, information about your skills, qualifications and experience and any other information we ask you to provide and/or which you choose to provide in your answers
For the purposes of considering your application for a job with us and communicating with you in connection with your application
Performance of a contract - assessing the suitability of applicants for jobs with us
EY’s legitimate interest in processing and managing applications for roles at EY, including the screening and selection of candidates
N/A
Equal opportunities data: Age, Gender, Race or ethnic origin, Religion or belief, Disability, Sexual Orientation and socio-economic information
The processing of Age is mandatory. The remaining information is optional
We may process equal opportunities data for the purposes of monitoring and promoting equal opportunities within our organisation, complying with our obligations under laws relating to equal opportunities in employment
EY’s legitimate interest in human resource administration and finance
Compliance with a legal obligation
Consent
Equal opportunities data (eg, information relating to race or ethnicity, religion, health, and sexual orientation): processing is necessary in the field of employment, social security and social protection law; processing is necessary for reasons of substantial public interest and the relevant substantial public condition under the Data Protection Act 2018 is monitoring equality of opportunity and treatment
Criminal convictions data: information relating to unspent criminal convictions or offences
We may process criminal convictions data for the purposes of considering your suitability for the job that you are applying for
Compliance with a legal obligation (basic criminal record checks are regulatory requirements for most roles)
EY’s legitimate interest in hiring, promoting or assigning people to engagements that are trustworthy and suited for the roleTo the extent criminal data is processed: processing is necessary in the field of employment law; processing is necessary for the purposes of preventing fraud and regulatory requirements relating to, amongst other things, unlawful acts and dishonesty
Reasonable adjustments data: information related to whether you require any reasonable adjustments
We will not ask you for details of any relevant disability or health condition, but you may tell us if you consider that it is necessary for us to know this information
Performance of a contract - assessing the suitability of applicants for jobs with us
Compliance with a legal obligation
Equal opportunities data (information relating to health): processing is necessary in the field of employment, social security and social protection law; processing is necessary for reasons of substantial public interest and the relevant substantial public condition under the Data Protection Act 2018 is monitoring equality of opportunity and treatment
Assessment data: your answers and the results of the assessment and data generated by the assessment system
The source of the assessment data is you and the automated testing system used by us or our assessment service providers. We may process this assessment data for the purposes of assessing your suitability for the job you have applied for, and including reviews to check against plagiarism and use of OpenAI software
EY’s legitimate interests - assessing the suitability of applicants for jobs with us
N/A
Interview data: information about you recorded following an interview
The source of the interview data is you and the interviewers and/or assessors. This interview data may be processed for the purposes of assessing your suitability for the job you are applying for
Performance of a contract - assessing the suitability of applicants for jobs with us
EY’s legitimate interests - assessing the suitability of applicants for jobs with usN/A
Reference data: relating to your education history, employment history, your character, and your performance at work
The source of the reference data is the referees that you specify in your application. This reference data may be processed for the purposes of considering your application
EY’s legitimate interests - assessing the suitability of applicants
N/A
Contact Data: information contained in or relating to any communication that you send to us or that we send to you in connection with your application
For the purposes of communicating with you, responding to your queries, providing you with assistance in relation to your application, administering your application and our own record-keeping
Performance of a contract - proper administration of our business, recruitment in connection with our business and communications with relevant persons
N/A
Use of personal data in connection with legal claims - personal data identified in this table
Where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure
EY’s legitimate interests - in the establishment, exercise, or defence of legal claims
To the extent criminal data is processed: processing is necessary in the field of employment law; processing is necessary for the purposes of preventing fraud and regulatory requirements relating to, amongst other things, unlawful acts and dishonesty
To the extent special categories of personal data are processed: processing is necessary in the field of employment, social security and social protection law; processing is necessary for the establishment, exercise or defence of legal claims
If your application is successful and you become an EY employee, we will provide a new privacy notice to you explaining our processing of employee personal data, which will supersede this notice.
3. Providing your personal data to others
EY Network: We may disclose the personal data described in section 2 to any relevant members of the global network of Ernst & Young firms if and insofar as this is reasonably necessary for the purposes set out in this notice.
Our insurers and professional advisers: We may disclose the personal data described in section 2 to our insurers and/or professional advisers if and insofar as reasonably necessary for the purposes of obtaining and maintaining insurance coverage, managing risks, obtaining professional advice and managing legal disputes.
Our suppliers and subcontractors: Some of the personal data described in section 2 may be shared with and/or processed and/or generated by our suppliers and subcontractors. Specifically, all personal data obtained through the online application system will be accessible to and processed by Amberjack Global Limited, which has developed and provided and hosts the online application system for the purposes of managing this recruitment round and carries out various recruitment and assessment activities on our behalf and on the basis of our instructions.
AmberTrack
AmberTrack is the system on which your information will be hosted on. This system hosts all student applicant information, including information from separate suppliers such as Cappfinity who provide the assessment which you may be required to undertake.
For clarity, AmberTrack is the name of the system on which your information will be processed. AmberTrack is created and owned by ‘Amberjack’.
Members of Amberjack’s staff (employees and contractors) will also access and process some of the personal data described in section 2 insofar as is reasonably necessary to carry out their allocated tasks in relation to this recruitment. Amberjack uses Microsoft Corporation, Amazon Web Services and Prodec Networks Ltd to host the online application system.Their processing is generally fully automated and does not involve individual staff accessing personal data, although this might happen in certain circumstances, such as when necessary to provide support services to Amberjack or when required by law to disclose certain information. Some of the personal data may also be shared with providers of online testing, such as Cappfinity, to be used as part of our assessment of applicants, insofar as is reasonably necessary to enable applicants to take the test and for the supplier to provide us with the results of the test.
For more information, please refer to the AmberTrack privacy notice on this page.
Cappfinity
Cappfinity Assessments (“Cappfinity”) is the platform on which any relevant assessments, prior to interview stage, will be conducted. The Tool assesses competencies and aptitude of candidates using a digital psychometric assessment based on game technology.
EY undertakes automated decision-making regarding applications based on the assessments from Cappfinity. For more information, please refer to the Cappfinity privacy notice on this page.
Rare
Rare is an optional service enabling applicants to have their application reviewed in context of their socio-economic background. A report is generated which contextualises each candidate’s academic performance against their socio-economic background, highlighting exceptional achievement relative to opportunity. This will be considered when reviewing individual applications, should they consent to have their data processed in this way. This is an optional service. For more information, please refer to the Rare privacy notice on this page.
4. International transfers of your personal data
In this section 4, we provide information about the circumstances in which your personal data may be transferred to countries outside the UK and European Economic Area (EEA).
This involves transferring personal data in various jurisdictions (including jurisdictions outside the UK and European Union) in which EY operates (EY office locations are listed at www.ey.com/ourlocations). EY will process your personal data in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules (www.ey.com/bcr).
5. Retaining and deleting personal data
This section 5 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Successful applicants: data that you provide, or we otherwise obtain in connection with your application for a job, will be retained in line with our employee privacy notice, which will be provided to you along with your job offer
- Unsuccessful applicants: data that you provide, or we otherwise obtain in connection with your application for a job, will be retained up to shortly after the end of EY’s current recruitment cycle (each cycle ends 30 September).
Notwithstanding the other provisions of this section 5, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, in order to protect your vital interests or the vital interests of another natural person, or for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. In these circumstances we will only retain personal data for as long as is necessary for the relevant purposes and in any event for no longer than 7 years.
6. Security of personal data
EY is committed to making sure your personal data is secure. To prevent unauthorized access or disclosure, EY has technical and organizational measures to safeguard and secure your personal data. All EY personnel and third parties EY engages to process your personal data are obliged to respect your data’s confidentiality.
You should ensure that your passwords used to access the online application system are not susceptible to being guessed, whether by a person or a computer program. You are responsible for keeping the passwords confidential and we will not ask you for your passwords (except when you log in to the online application system).
7. Your rights
In this section 7, we have summarised the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
Your principal rights under data protection law in respect of your personal data that we process are:
- Right of access. You have the right to obtain a copy of your personal data;
- Right to rectification. You have the right to have your personal data amended if it is inaccurate;
- Right to erasure. In certain circumstances, you have the right to require us to erase your personal data if the continued processing of that personal data is not justified;
- Right to restriction. In certain circumstances, you have the right to require us to limit the purposes for which we process your personal data if the continued processing of the personal data in this way is not justified, such as where the accuracy of the personal data is contested by you; and
- Right to portability: In certain circumstances, you have the right to receive a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format or to request the transfer of your personal data to another person.
You also have a right, in some circumstances, to object to any processing based on our legitimate interests. There may, however, be compelling reasons for continuing to process your personal data and we will assess and inform you if that is the case.
Please note that the above rights are not absolute, and we may be entitled to refuse requests, wholly or partly, where exceptions under the applicable law apply.
You may exercise any of your rights in relation to your personal data by emailing global.data.protection@ey.com.
8. Contact Us
If you have any questions or complaints about this Notice or how we use your personal data, please contact global.data.protection@ey.com.
You also have a right to lodge a complaint to the UK data protection authority. Please see www.ico.org.uk for further information on how to contact the Information Commissioner.
9. Updates to this Notice
We may update this notice at any time but if we do so, we will provide you with an updated copy of this notice as soon as reasonably practical. Further, see top of the notice for the date when this notice was last updated.
-
1. Introduction
This Privacy Notice is intended to describe the practices EY follows in relation to AmberTrack (“Tool”) with respect to the privacy of all individuals whose personal data is processed and stored in the Tool. This Privacy Notice should be read together with the EY student applicant privacy notice, the Cappfinity Assessments privacy notice and the Rare privacy notice. Please read this Privacy Notice carefully.
2. Who manages the Tool?
“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity and can act as a data controller in its own right (i.e. act as a data controller or in a similar capacity). The entity that is acting as data controller (or similar capacity) by providing this Tool on which your personal data will be processed and stored is Ernst & Young LLP, 1 More London Place (‘EY’) (‘we’ or ‘us’). EY licenses the Tool from AmberJack Global Limited, Newbury House, 20 King Road, West Berkshire, RG14 5XR, United Kingdom.
The personal data in the Tool is shared by EY Services Limited with one or more member firms of EYG (see “Who can access your personal data” section below).
The Tool is hosted on servers in the UK.
3. Why do we need your personal data?
The Tool manages the early career recruitment application process to EY.
Your personal data processed in the Tool is used to host all relevant information relating to your application with EY.
EY relies on the several basis to legitimise the processing of your personal data in the Tool, please see the table below for more information.
In line with the table below processing of your personal data is sometimes necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The specific legitimate interest(s) are listed in the table below.
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you based on the below legitimate interest(s).
4. What type of personal data is processed in the Tool?
The Tool processes the personal data categories set out in the table below.
This data is sourced from you directly, and other third parties, such as Cappfinity. For further information regarding Cappfinity Assessments, which EY uses to make automated decisions, please see the appropriate privacy notice on this page and the EY student applicant privacy notice.
Personal data collected
Reason for processing
Lawful basis for the processing
Basis for processing special categories of personal data or data relating to criminal convictions and offences
Registration data: username, email address, and password
Creating a user account for you, enabling you to access your account once created, keeping your account secure and communicating with you in connection with your application.
Performance of a contract - enabling applicants to submit, and us to receive and consider, applications for jobs with us.
EY’s legitimate interest in processing and managing applications for roles at EY, including the screening and selection of candidates
N/A
Required verification data:
Passport number, passport expiry date, university Student ID number, and University or school admissions team contact namesThis information is required to verify your identity at point of offer to avoid against false or suspicious applications
EY’s legitimate interest in avoiding false, suspicious, or fraudulent activity within student applications to EY.
Username, email address, and Application data
Contacting you about subsequent job opportunities with us in the event that your application for this recruitment round is unsuccessful
EY’s legitimate interest in processing and managing applications for roles at EY, including the screening and selection of candidates
If you do not want us to use your username, email address, and Application Data in this way, you can request we stop at any time by sending us an email
N/A
Application data: contact details, educational and employment history, information about your skills, qualifications and experience and any other information we ask you to provide and/or which you choose to provide in your answers
For the purposes of considering your application for a job with us and communicating with you in connection with your application
Performance of a contract - assessing the suitability of applicants for jobs with us
EY’s legitimate interest in processing and managing applications for roles at EY, including the screening and selection of candidates
N/A
Equal opportunities data: Age, Gender, Race or ethnic origin, Religion or belief, Disability and Sexual Orientation
The processing of Age is mandatory. The remaining information is optional.
We may process equal opportunities data for the purposes of monitoring and promoting equal opportunities within our organisation, complying with our obligations under laws relating to equal opportunities in employment
EY’s legitimate interest in human resource administration and finance
Compliance with a legal obligation
Equal opportunities data (eg, information relating to race or ethnicity, religion, health, and sexual orientation): processing is necessary in the field of employment, social security and social protection law; processing is necessary for reasons of substantial public interest and the relevant substantial public condition under the Data Protection Act 2018 is monitoring equality of opportunity and treatment
Criminal convictions data: information relating to unspent criminal convictions or offences
We may process criminal convictions data for the purposes of considering your suitability for the job that you are applying for
Compliance with a legal obligation (basic criminal record checks are regulatory requirements for most roles).
EY’s legitimate interest in hiring, promoting or assigning people to engagements that are trustworthy and suited for the role
To the extent criminal data is processed: processing is necessary in the field of employment law; processing is necessary for the purposes of preventing fraud and regulatory requirements relating to, amongst other things, unlawful acts and dishonesty
Reasonable adjustments data: information related to whether you require any reasonable adjustments
We will not ask you for details of any relevant disability or health condition, but you may tell us if you consider that it is necessary for us to know this information
Performance of a contract - assessing the suitability of applicants for jobs with us.
Compliance with a legal obligation
Equal opportunities data (information relating to health): processing is necessary in the field of employment, social security and social protection law; processing is necessary for reasons of substantial public interest and the relevant substantial public condition under the Data Protection Act 2018 is monitoring equality of opportunity and treatment
Assessment data: your answers and the results of the assessment and data generated by the assessment system
The source of the assessment data is you and the automated testing system used by us or our assessment service providers. We may process this assessment data for the purposes of assessing your suitability for the job you have applied for and including reviews to check against plagiarism and use of OpenAI software
Assessment information is captured within a platform called Cappfinity Assessments. Please see their privacy policy on this page.
EY’s legitimate interests - assessing the suitability of applicants for jobs with us
N/A
Interview data: Information about you recorded following an interview
The source of the interview data is you and the interviewers and/or assessors. This interview data may be processed for the purposes of assessing your suitability for the job you are applying for
Performance of a contract - assessing the suitability of applicants for jobs with us
EY’s legitimate interests - assessing the suitability of applicants for jobs with us
N/A
Contact Data: information contained in or relating to any communication that you send to us or that we send to you in connection with your application
For the purposes of communicating with you, responding to your queries, providing you with assistance in relation to your application, administering your application and our own record-keeping
Performance of a contract - proper administration of our business, recruitment in connection with our business and communications with relevant persons
N/A
5. Sensitive Personal Data
Sensitive personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.
The following sensitive personal data is collected and processed in the Tool should you wish to submit the below information:
- Racial or ethnic origin
- Sexual orientation
- Religion or belief
- Health (e.g. disabilities)
The provision of information relating to criminal convictions is mandatory for compliance with legal obligations – see above table for more information.
6. Who can access your information?
Your personal data is accessed in the Tool by the following persons/teams:
Role
Location
Purpose for which access is required
Level of access rights (e.g. read-only, edit, delete)
EY Recruiters
UK
Assess candidates and obtain information on the prioritisation/scoring of candidates and any potential follow ups.
Read, edit, delete.
Access rights restricted by country.
IBM
Canada, China, Czech Republic, Hungary, India, Malaysia, Mexico, Oceania, Philippines, Poland, UK and US
Maintenance and Support
Multiple
The access rights detailed above involves transferring personal data in various jurisdictions (including jurisdictions outside the European Union) in which EY operates (EY office locations are listed at www.ey.com/ourlocations). EY will process your personal data in the Tool in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules (www.ey.com/bcr).
We transfer or disclose the personal data we collect to third-party service providers (and their subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage service providers to provide, run and support our IT infrastructure (such as identity management, hosting, data analysis, back-up, security and cloud storage services) and for the storage and secure disposal of our hard copy files. It is our policy to only use third-party service providers that are bound to maintain appropriate levels of data protection, security and confidentiality, and that comply with any applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected.
To the extent that personal data has been rendered anonymous in such a way that you or your device are no longer reasonably identifiable, such information will be treated as non-personal data and the terms of this Privacy Notice will not apply.
7. Data retention
Our policy is to retain personal data only for as long as it is needed for the purposes described in the section “Why do we need your personal data”. Retention periods vary in different jurisdictions and are set in accordance with local regulatory and professional retention requirements.
In order to meet our professional and legal requirements, to establish, exercise or defend our legal rights and for archiving and historical purposes, we need to retain information for significant periods of time.
The policies and/or procedures for the retention of personal data in the Tool are that your data will be retained up to shortly after the end of EY’s current recruitment cycle (each cycle ends 30 September).
Your personal data will be retained in compliance with privacy laws and regulations.
After the end of the data retention period, your personal data will be deleted or anonymized in the Tool.
8. Security
EY is committed to making sure your personal data is secure. To prevent unauthorized access or disclosure, EY has technical and organizational measures to safeguard and secure your personal data. All EY personnel and third parties EY engages to process your personal data are obliged to respect your data’s confidentiality.
9. Controlling your personal data
EY will not transfer your personal data to third parties (other than any external parties referred to in section 6 above) unless we have your permission or are required by law to do so.
You are legally entitled to request details of EY’s personal data about you.
To confirm whether your personal data is processed in the Tool or to access your personal data in the Tool, contact your usual EY representative or email your request to global.data.protection@ey.com.
10. Object, rectification, erasure, restriction of processing or data portability
You can confirm your personal data is accurate and current. You can request rectification, erasure, restriction of processing or a readily portable copy of your personal data by contacting your usual EY representative or by sending an e-mail to global.data.protection@ey.com
11. Complaints
If you are concerned about an alleged breach of privacy law or any other regulation, contact EY’s Global Privacy Leader, Office of the General Counsel, 6 More London Place, London, SE1 2DA, United Kingdom or via email at global.data.protection@ey.com or via your usual EY representative. An EY Privacy Leader will investigate your complaint and provide information about how it will be handled and resolved.
If you are not satisfied with how EY resolved your complaint, you have the right to complain to your country’s data protection authority. You can also refer the matter to a court of competent jurisdiction.
Certain EY member firms in countries outside the European Union (EU) have appointed a representative in the EU to act on their behalf if, and when, they undertake data processing activities to which the EU General Data Protection Regulation (GDPR) applies. Further information and the contact details of these representatives are available here.
12. Contact us
If you have additional questions or concerns, contact your usual EY representative or email global.data.protection@ey.com.
-
1. Introduction
This Privacy Notice is intended to describe the practices EY follows in relation to Cappfinity Assessments (“Tool”) with respect to the privacy of all individuals whose personal data is processed and stored in the Tool. This Privacy Notice should be read together with the EY student applicant privacy notice, the AmberTrack privacy notice and the Rare privacy notice. Please read this Privacy Notice carefully.
2. Who manages the Tool?
“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity and can act as a data controller in its own right. The entity that is acting as data controller by providing this Tool on which your personal data will be processed and stored is Ernst & Young LLP, 1 More London Place (‘EY’) (‘we’ or ‘us’). EY Global Services Limited licenses the Tool from an external vendor, Capp & Co Limited (“Capp”) (2230-2235 Regents Court, The Crescent, Birmingham Business Park, B37 7YE).
The personal data in the Tool is shared by EY Global Services Limited with one or more member firms of EYG (see “Who can access your information” section below).
The Tool is hosted on servers externally by the vendor or its third-party hosting provider in the Rackspace data centre in Greater London, UK.
3. Why do we need your personal data?
Your personal data is required so you may undertake the relevant required assessments to proceed your application with us. The Tool assesses competencies and aptitude of candidates using a digital psychometric assessment based on game technology.
Your personal data processed in the Tool is used as follows:
Candidate response data is processed in the Tool using an algorithm. The resulting analysis is used with candidate identifiers in order to determine progression through the recruitment process. Progression is based entirely on assessment scores and not on demographic data. The assessment algorithm produces a score, from which EY undertakes automated decision-making.
Automated decision-making is when an electronic system (e.g., the Tool) uses personal data to make a decision without any human influence on the outcome. This means that, during the assessment, if you fail to meet the pass score, your application will be automatically rejected by EY without a human review. EY is allowed to use automated decision-making where it is necessary for performance of a contract with you and where appropriate measures are in place to safeguard your rights.
If you do not agree with the automated decision-making and would like to invoke your right to a review, you may appeal by contacting us at the email address in Section 12.
EY relies on the following basis to legitimise the processing of your personal data in the Tool:
Processing of your personal data is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The specific legitimate interests are processing and managing applications for roles at EY and assessing the suitability of applicants for jobs with us.
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you based on the above legitimate interest(s).
In order to proceed with student applications, you will be required to undertake the assessment on the Tool. This assessment procedures a score, which EY uses for automated decision-making against set criteria to determine a pass or fail mark. EY relies on performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract.
Any results from the assessment will be transferred to AmberTrack as part of your application. To understand more about AmberTrack, please see the appropriate privacy notice on this page and the EY student applicant privacy notice.
4. What type of personal data is processed in the Tool?
The Tool processes the personal data categories listed below, along with the source of the data.
Personal data categories
Sourced from
EY Recruiters
Full name
Email address
Audit logs relating to user login
A feed from other EY Systems (SuccessFactors)
Candidates
Full name
Email address
Assessment data
Audit logs relating to user login
Candidate ID number
Video from the job simulation
A feed from AmberTrack
Provided directly by Candidates
5. Sensitive Personal Data
Sensitive personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.
EY does not intentionally collect any sensitive personal data from you via Cappfinity Assessments. There is no intention to process such information on this Tool. Please note that AmberTrack may process sensitive personal data, if you have provided it in that tool.
6. Who can access your information?
Your personal data is accessed in the Tool by the following persons/teams:
Role
Location
Purpose for which access is required
Level of access rights (e.g. read-only, edit, delete)
EY Recruiters
Global (depending on where it is deployed)
Assess candidates and obtain information on the prioritisation/scoring of candidates and any potential follow ups.
Read, edit, delete
Access rights restricted by country.
EY Local Recruitment Leadership
Global (depending on where it is deployed)
Assess candidates and obtain information on the prioritization/scoring of candidates and any potential follow ups.
Update profiles and access rights of EY Recruiters.
Update local country instance of the Tool as needed.
Read, edit, delete and administrative rights
Candidates
Global (depending on where it is deployed)
View assessment results
Read-only
Capp users
UK
Maintenance and support
Read, write, edit, delete. Access to global data from UK location.
Tata Consultancy Services (TCS)
India and Mexico
Maintenance and support
Read, write, edit, delete. Access to global data from India and Mexico location.
IBM
Canada, China, Czech Republic, Hungary, India, Malaysia, Mexico, Oceania, Philippines, Poland, UK and US
Maintenance and support
Multiple
The access rights detailed above involves transferring personal data in various jurisdictions (including jurisdictions outside the European Union) in which EY operates (EY office locations are listed at www.ey.com/ourlocations). EY will process your personal data in the Tool in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules (Data Protection Binding Corporate Rules Program | EY - Global).
We transfer or disclose the personal data we collect to third-party service providers (and their subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage service providers to provide, run and support our IT infrastructure (such as identity management, hosting, data analysis, back-up, security and cloud storage services) and for the storage and secure disposal of our hard copy files. It is our policy to only use third-party service providers that are bound to maintain appropriate levels of data protection, security and confidentiality, and that comply with any applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected.
To the extent that personal data has been rendered anonymous in such a way that you or your device are no longer reasonably identifiable, such information will be treated as non-personal data and the terms of this Privacy Notice will not apply.
7. Data retention
Our policy is to retain personal data only for as long as it is needed for the purposes described in the section “Why do we need your personal data”. Retention periods vary in different jurisdictions and are set in accordance with local regulatory and professional retention requirements.
In order to meet our professional and legal requirements, to establish, exercise or defend our legal rights and for archiving and historical purposes, we need to retain information for significant periods of time.
The policies and/or procedures for the retention of personal data in the Tool are:
- successful applicants: your data will be retained up to shortly after the end of the September from when you take up your place as an EY employee (this is to ensure the overall integrity of the student application process and avoid you having to repeat the assessment if taken as an internship application or should you defer your joining EY)
- unsuccessful applicant: your data will be retained up to 12 months after taking the assessment (this is to ensure the overall integrity of the student application process).
Your personal data will be retained in compliance with privacy laws and regulations.
After the end of the data retention period, your personal data will be deleted or anonymized in the Tool.
8. Security
EY is committed to making sure your personal data is secure. To prevent unauthorized access or disclosure, EY has technical and organizational measures to safeguard and secure your personal data. All EY personnel and third parties EY engages to process your personal data are obliged to respect your data’s confidentiality.
9. Controlling your personal data
EY will not transfer your personal data to third parties (other than any external parties referred to in section 6 above) unless we have your permission or are required by law to do so.
You are legally entitled to request details of EY’s personal data about you.
To confirm whether your personal data is processed in the Tool or to access your personal data in the Tool, contact your usual EY representative or email your request to global.data.protection@ey.com.
10. Object, rectification, erasure, restriction of processing or data portability
You can confirm your personal data is accurate and current. You can request rectification, erasure, restriction of processing or a readily portable copy of your personal data by contacting your usual EY representative or by sending an e-mail to global.data.protection@ey.com.
11. Complaints
If you are concerned about an alleged breach of privacy law or any other regulation, contact EY’s Global Privacy Leader, Office of the General Counsel, 6 More London Place, London, SE1 2DA, United Kingdom or via email at global.data.protection@ey.com or via your usual EY representative. An EY Privacy Leader will investigate your complaint and provide information about how it will be handled and resolved.
If you are not satisfied with how EY resolved your complaint, you have the right to complain to your country’s data protection authority. You can also refer the matter to a court of competent jurisdiction.
Certain EY member firms in countries outside the European Union (EU) have appointed a representative in the EU to act on their behalf if, and when, they undertake data processing activities to which the EU General Data Protection Regulation (GDPR) applies. Further information and the contact details of these representatives are available here.
12. Contact us
If you have additional questions or concerns, contact your usual EY representative or email global.data.protection@ey.com.
-
1. Introduction
This Privacy Notice is intended to describe the practices EY follows in relation to the Enboarder Limited (“Enboarder”) with respect to the privacy of all individuals whose personal data is processed and stored in Enboarder.
2. Who manages Enboarder?
“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity and can act as a data controller in its own right. The entity that is acting as data controller by providing Enboarder on which your personal data will be processed and stored is EY LLP.
The personal data you provide in Enboarder is shared by EY LLP with one or more member firms of EYG (see “Who can access your information” section below).
Enboarder is hosted on servers in EMEA: Frankfurt Data Centre.
3. Why do we need your information?
Enboarder is a software platform used by EY to enhance the onboarding and pre-boarding experience for new hires by providing personalised communication and interactive features helping future employees build connections and feel included before their official start date.
Your personal data processed in Enboarder is used as follows:
The personal information processed in the tool, such as application data sources from the EY recruitment systems (SuccessFactors, AmberJack), is primarily used to contact the user following the acceptance of an offer. This communication provides details about the next steps in the onboarding journey and information about the company, including assistance related to employment.
Personal information directly sourced from the user, such as a personal photo, LinkedIn profile, is optional and is utilised to help users build connections and foster a sense of community within their cohort
Employment information data, which is sourced from the EY Employee file and includes details such as service line, job title, and office location for EY employees, is also used to provide information about key contacts and to facilitate networking within the cohort.
EY relies on the following basis to legitimise the processing of your personal data in Enboarder: Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, and processing is necessary for the performance of a contract with the individual.
The provision of your personal data to EY is optional.
4. What type of personal data is processed in Enboarder?
The Tool processes the personal data categories set out in the table below.
Enboarder processes these personal data categories: Name, Last name, Email, Phone Number, Address, Personal Photo, Office location, LinkedIn profile link, Service line, Sub service line, and Job title.
Personal data collected
Reason for processing
Lawful basis for the processing
Basis for processing special categories of personal data or data relating to criminal convictions and offences
Application Data: Name, Last Name, Email Address, Phone Number, Address
Creating a user account in Enboarder enabling end user to access the account once created and communicating with the user in connection with the employment with EY
Performance of a contract
N/A
Personal information directly sourced from the user: Personal photo, LinkedIn profile
Data is utilised to help users build connections and foster a sense of community within their cohort
Legitimate Interests
N/A
Employment information data sourced from the EY Employee file: Name, Last name, Job Title, Service line, Sub service line and office location for EY employees
Data is used to provide information about key contacts and to facilitate networking within the cohort
Performance of a contract
N/A
This data is sourced directly from EY systems.
5. Sensitive Personal Data
Sensitive personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.
EY does not intentionally collect any sensitive personal data from you via Enboarder. There is no intention to process such information.
6. Who can access your information?
Your personal data is accessed in Enboarder by the following persons/teams:
· EY Talent Acquisition team
The access rights detailed above involves transferring personal data in various jurisdictions (including jurisdictions outside the European Union) in which EY operates (EY office locations are listed at www.ey.com/ourlocations). EY will process your personal data in Enboarder in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules (www.ey.com/bcr).
· End Users
The information processed within the tool is accessible to users through the Connection Cards functionality of Enboarder. Enboarder is designed to facilitate engagement and networking among users by allowing them to view certain limited personal information of other users, such as names, photos, LinkedIn profiles, and employment details. This functionality aims to help users build connections and foster a sense of community within their cohort.
Access to this information is limited to users within the same onboarding group or cohort, ensuring that only relevant parties have visibility into personal data for networking purposes. Enboarder also employs strict access controls and data security measures to ensure that personal information is protected and only shared within the scope necessary to achieve its intended purpose.
Role
Location
Purpose for which access is required
Level of access rights (e.g. read-only, edit, delete)
EY Talent Acquisition team
UK
Assess candidates and monitor and manage the preboarding and onboarding process ensuring users receive timely and accurate information about EY and their next steps.
Read, edit, delete
End Users
UK
End users are granted access to the connection cards of their peers within Enboarder to foster engagement, collaboration, and networking
Limited Read-only access
Enboarder
UK, India
Customer support and service
Read, edit, delete
7. Data retention
In relation to the retention of personal data in Enboarder the personal data is automatically deleted after 90 days of inactivity.
Your personal data will be retained in compliance with privacy laws and regulations.
After the end of the data retention period or when the purpose for processing (see question 3 above) is complete, your personal data will be deleted.
8. Security
EY is committed to making sure your personal data is secure. To prevent unauthorized access or disclosure, EY has technical and organizational measures to safeguard and secure your personal data. All EY personnel and third parties EY engages to process your personal data are obliged to respect your data’s confidentiality.
9. Controlling your personal data
EY will not transfer your personal data to third parties (other than any external parties referred to in section 6 above) unless we have your permission or are required by law to do so.
You are legally entitled to request details of EY’s personal data about you.
To confirm whether your personal data is processed in Enboarder or to access your personal data in the Enboarder, contact your usual EY representative or email your request to global.data.protection@ey.com.
10. Rectification, erasure, restriction of processing or data portability
You can confirm your personal data is accurate and current. You can request rectification, erasure, restriction of processing or a readily portable copy of your personal data by contacting your usual EY representative or by sending an e-mail to global.data.protection@ey.com
11. Complaints
If you are concerned about an alleged breach of privacy law or any other regulation, contact EY’s Global Privacy Officer, Office of the General Counsel, 6 More London Place, London, SE1 2DA, United Kingdom or via email at global.data.protection@ey.com or via your usual EY representative. An EY Privacy Officer will investigate your complaint and provide information about how it will be handled and resolved.
If you are not satisfied with how EY resolved your complaint, you have the right to complain to your country’s data protection authority. You can also refer the matter to a court of competent jurisdiction.
12. Contact us
If you have additional questions or concerns, contact your usual EY representative or email global.data.protection@ey.com.
-
Last updated: 11/12/25
1. Introduction
This Privacy Notice is intended to describe the practices EY follows in relation to the TopScore Technologies Limited (“the Tool”) with respect to the privacy of all individuals whose personal data is processed and stored in the Tool.
2. Who manages TopScore Technologies Limited?
“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity and can act as a data controller in its own right. The entity that is acting as data controller by providing the Tool on which your personal data will be processed and stored is EY UK LLP.
The Tool is hosted on servers in the UK.
3. Why do we need your information?
We collect your personal information to support the EY UKI Student Recruitment team in managing assessment events. This includes scheduling interviews and assessment exercises, enabling you to complete assessments on a single platform, and allowing assessors to submit scores. Your information helps EY identify the strongest candidates based on total scores and make decisions about progressing applicants to interviews or offers. Your name and email address are used so that we can match your assessment results to your application.
EY replies on the following legal basis to process your personal data:
- Where processing is necessary for the purpose of legitimate interest pursued by the controller. EY has a legitimate interest in running an effective recruitment process.
- Where that processing is necessary for the performance of a contract in order to take steps at the request of the data subject prior to entering into a contract. Your personal data will be processed by the Tool for the next steps to entering into a contract.
4. What type of personal data is processed in the Tool?
The Tool processes these personal data categories:
- Full name
- Email address
5. Sensitive Personal Data
Sensitive personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.
EY does not intentionally collect any sensitive personal data from you via the Tool. There is no intention of processing such information.
6. Who can access your information?
Your personal data is accessed in the Tool by the following persons/teams:
Organisation (EY, Client name, Third party name)
EY employee, Client employee, Third party employee, Public
Number of individuals with access (estimate if you do not know exact number)
Location of individuals with access
Reason for access
Level of access
EY
Specific EY employees
50
UK
Admin user
Admin
EY
Specific EY employees
1500
UK
Assessor User
Assessing
EY
Specific EY employees
1500
UK
Interview User
Interviewing
TopScore
Third Party
20
UK
Customer Support
Admin
Candidates
Public
Global
Applying to roles at EY
Candidate access only
7. Data retention
Personal data that you provide will be retained up to 6 months after the end of EY’s current recruitment cycle (each cycle ends 30 September). Depending on when you apply, your data may be kept up to 18 months. Your personal data will be retained in compliance with privacy laws and regulations. After the end of the data retention period or when the purpose for processing (see question 3 above) is complete, your personal data will be deleted.
8. Security
EY is committed to making sure your personal data is secure. To prevent unauthorized access or disclosure, EY has technical and organizational measures to safeguard and secure your personal data. All EY personnel and third parties EY engages to process your personal data are obliged to respect your data’s confidentiality.
9. Controlling your personal data
EY will not transfer your personal data to third parties (other than any external parties referred to in section 6 above) unless we have your permission or are required by law to do so.
You are legally entitled to request details of EY’s personal data about you.
To confirm whether your personal data is processed in the Tool or to access your personal data in the Tool, contact your usual EY representative or email your request to global.data.protection@ey.com.
10. Rectification, erasure, restriction of processing or data portability
You can confirm your personal data is accurate and current. You can request rectification, erasure, restriction of processing or a readily portable copy of your personal data by contacting your usual EY representative or by sending an email to global.data.protection@ey.com.
11. Complaints
If you are concerned about an alleged breach of privacy law or any other regulation, contact EY’s Global Privacy Officer, Office of the General Counsel, 1 More London Place, London, SE1 2AF, United Kingdom or via email at global.data.protection@ey.com or via your usual EY representative. An EY Privacy Officer will investigate your complaint and provide information about how it will be handled and resolved.
If you are not satisfied with how EY resolved your complaint, you have the right to complain to your country’s data protection authority. You can also refer the matter to a court of competent jurisdiction.
12. Contact us
If you have additional questions or concerns, contact your usual EY representative or email global.data.protection@ey.com.
-
1. Introduction
This Privacy Notice is intended to describe the practices EY follows in relation to RARE (“Tool”) with respect to the privacy of all individuals whose personal data is processed and stored in the Tool. This Privacy Notice should be read together with the EY Early Careers applicant privacy notice, the AmberTrack privacy notice and the Cappfinity Assessments privacy notice. Please read this Privacy Notice carefully.
2. Who manages the Tool?
“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity and can act as a data controller in its own right (i.e. act as a data controller or in a similar capacity). The entity that is acting as data controller (or similar capacity) by providing this Tool on which your personal data will be processed and stored is Ernst & Young LLP, 1 More London Place (‘EY’) (‘we’ or ‘us’). EY licenses the Tool from Rare Recruitment Limited, 21-22 Great Sutton Street, London EC1V 0DY.
The personal data in the Tool is shared by EY Services Limited with one or more member firms of EYG (see “Who can access your personal data” section below).
The Tool is hosted on servers in the UK.
3. Why do we need your personal data?
The Tool is part of the Early Careers recruitment application process to EY.
Your personal data processed in the Tool as follows:
As part of your Early Careers application, you can complete a set of questions which relate to your socioeconomic background. Providing the answers to these questions is completely optional.
The Tool will be provided with your responses to these questions only, so your data is anonymised for the analysis they conduct. The Tool will analyse your responses and provide EY recruiters with a report, in AmberTrack, on your socioeconomic background.
The tool generates a report that contextualises each candidate’s academic performance against their social background, highlighting exceptional achievement relative to opportunity through specific flags and a Performance Index based on academic performance.
RARE flags are assigned to a candidate based on the answers to the contextual questions about socioeconomic, personal and educational background. This report is transferred to the Application Tracking System, AmberTrack, and used during screening, but not final hiring stages.
The EY recruiters will review to fairly assess potential, ensuring that RARE flags inform but do not exclude candidates. The process is designed to maximise fairness and transparency, with candidates assured that providing contextual data will not negatively impact their application.
EY relies on consent as the basis for the processing of your personal data in the Tool.
You have the right to object at any time, to the processing of personal data.
4. What type of personal data is processed in the Tool?
The Tool processes the following personal data:
- Your home postcode at the age of 16
- Whether you received free school meals
- Whether you undertook paid work during the ages of 16-18
- If you are the first generation in your family to attend university
- If you did significant part-time work when aged 16 to 18 or during university term time
- Whether you are a refugee/asylum seeker
- Whether you spent time in social care
- Whether you are/were a young parent or carer
- The occupation of main household earner when you were aged 14
5. Special Category Personal Data
Special Category personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.
EY does not intentionally collect any special category personal data from you via the RARE questionnaire. There is no intention to process such information on this Tool. However, personal information processed can be considered sensitive.
6. Who can access your information?
Your personal data is accessed in the Tool by the following persons/teams:
Role
Location
Purpose for which access is required
Level of access rights (e.g. read-only, edit, delete)
EY Recruiters
UK
To review as part of the shortlisting process
Read-only
Talent
UK
Assess candidates applications and obtain information for application screening, interview scheduling and pre-boarding purposes.
Read-only
GDS
Argentina, Hungary, India, Philippines, Poland, Sri Lanka, Mexico, Spain and the United Kington
Helpline support, allowing the team to review status and notes in order to support or escalate where required.
Read-only
Ambertrack staff
UK
Hosts the tool
Read-only
RARE staff
UK
To review anonymised data as part of reporting
Read-only
Candidates
Global
To apply for Early Careers roles
Read, edit – only data related to their own application
The access rights detailed above involves transferring personal data in various jurisdictions (including jurisdictions outside the European Union) in which EY operates (EY office locations are listed at www.ey.com/ourlocations). EY will process your personal data in the Tool in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules (www.ey.com/bcr).
We transfer or disclose the personal data we collect to third-party service providers (and their subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage service providers to provide, run and support our IT infrastructure (such as identity management, hosting, data analysis, back-up, security and cloud storage services) and for the storage and secure disposal of our hard copy files. It is our policy to only use third-party service providers that are bound to maintain appropriate levels of data protection, security and confidentiality, and that comply with any applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected.
To the extent that personal data has been rendered anonymous in such a way that you or your device are no longer reasonably identifiable, such information will be treated as non-personal data and the terms of this Privacy Notice will not apply.
7. Data retention
Our policy is to retain personal data only for as long as it is needed for the purposes described in the section “Why do we need your personal data”. Retention periods vary in different jurisdictions and are set in accordance with local regulatory and professional retention requirements.
In order to meet our professional and legal requirements, to establish, exercise or defend our legal rights and for archiving and historical purposes, we need to retain information for significant periods of time. The policies and/or procedures for the retention of personal data in the Tool are that your data will be retained up to shortly after the end of EY’s current recruitment cycle (each cycle ends 30 September). Your personal data will be retained in compliance with privacy laws and regulations.
After the end of the data retention period, your personal data will be deleted or anonymized in the Tool.
8. Security
EY is committed to making sure your personal data is secure. To prevent unauthorised access or disclosure, EY has technical and organisational measures to safeguard and secure your personal data. All EY personnel and third parties EY engages to process your personal data are obliged to respect your data’s confidentiality.
9. Controlling your personal data
EY will not transfer your personal data to third parties (other than any external parties referred to in section 6 above) unless we have your permission or are required by law to do so. You are legally entitled to request details of EY’s personal data about you.
To confirm whether your personal data is processed in the Tool or to access your personal data in the Tool, contact your usual EY representative or email your request to global.data.protection@ey.com.
10. Objection, rectification, erasure, restriction of processing or data portability
You can confirm your personal data is accurate and current. You can request rectification, erasure, restriction of processing or a readily portable copy of your personal data by contacting your usual EY representative or by sending an e-mail to global.data.protection@ey.com
11. Complaints
If you are concerned about an alleged breach of privacy law or any other regulation, contact EY’s Global Privacy Leader, Office of the General Counsel, 1 More London Place, London, SE1 2AF, United Kingdom or via email at global.data.protection@ey.com or via your usual EY representative. An EY Privacy Leader will investigate your complaint and provide information about how it will be handled and resolved.
If you are not satisfied with how EY resolved your complaint, you have the right to complain to your country’s data protection authority. You can also refer the matter to a court of competent jurisdiction.
Certain EY member firms in countries outside the European Union (EU) have appointed a representative in the EU to act on their behalf if, and when, they undertake data processing activities to which the EU General Data Protection Regulation (GDPR) applies. Further information and the contact details of these representatives are available here.
12. Contact us
If you have additional questions or concerns, contact your usual EY representative or email global.data.protection@ey.com.